Technology has revolutionized the way that consumers make purchases and expanded the range of retail channels. Goods may be purchased in a range of ways including traditional face-to-face purchases, mail order and telephone order as well as more recent retail formats such as Internet shopping, purchase by mobile phone and other contactless purchase methods. The number of payment options has also expanded accordingly to include credit cards, debit cards, charge cards, contactless wallet payment systems such as Oyster, Speedpass and vending cards, direct debit from bank accounts and payment using mobile phone accounts. This proliferation of payment and retail systems, whose transactions are often conducted remotely or between consumers and merchants who have little or no prior relationship, has led to a change in the security challenges faced by consumers, merchants and financial institutions.
Using existing payment card systems in transactions such as mail order, Internet shopping and purchases over the telephone, a consumer gives their complete payment and identity details up front and has to trust that the goods and services will be delivered and that the merchant is legitimate and uses the details given only for processing that order. This exposes the consumer to identity theft, theft of payment details and payment fraud via, for example, phishing, swiping cards through non-authorized card readers and simple misuse or copying of card details. These theft and fraud threats are not presently addressed by existing payment security methods such as those typically employed by credit card processors. Similarly, merchants must trust that the consumer has given the correct identity, is an authorized user of the payment method and that the payment details are correct. In addition, merchants are exposed to identity fraud or deception where payment or account details have been stolen.
To meet these challenges, credit card companies and financial institutions are putting security measures into place. The introduction of chip and PIN (EMV authentication) in the UK for card transactions has reduced fraud in the face-to-face market. Whilst this is undoubtedly a significant improvement in security, face-to-face fraud does still occur, exemplified by some major merchants withdrawing their chip and PIN payment terminals after those terminals were compromised. Indeed, a direct consequence of chip and PIN at point of sale is that consumers are now open to greater risk of shoulder surfing. Further threats to security may arise from the use of electronic “bugging” equipment in point of sale terminals.
Card detail theft is also an issue, with fraudsters using legitimate card details to perpetrate non-face-to-face and face-to-face payment theft. This is because existing terminals and PIN pads are designed to accept many cards from consumers without requiring specific validation by the merchant or staff members before use. In addition, terminals that are not validated by the registered merchant can give rise to high fraud levels if compromised. This is due to the lack of accountability over their security, and the nature, size and technical needs of existing terminals and PIN pads, making it difficult to keep them secure when not being used. Furthermore, card details taken from the face and back of payment cards can be fraudulently used across non-chip and PIN channels.